Problems with adding multi-value field through /va...

orpiczy · ‎06-05-2025

Hi Fellow Splunkers,
How can I add multi-value field (array) directly to the index through `/var/spool/splunk`.
I tried multiple approaches:

1. Dict
==##~~##~~ 1E8N3D4E6V5E7N2T9 ~~##~~##==
{ "array_field":["1", "2"], "count": "2", ... }

2. Classic
==##~~##~~ 1E8N3D4E6V5E7N2T9 ~~##~~##==
... , array_field=["1", "2"], count="2", ...

I achieved best results with Dict approach. Added field correctly has multiple values, however ... to key ("array_field") splunk adds {}, resulting in incorrect key ("array_field{}")

Do you have any suggestions?

yuanliu · ‎06-05-2025

You will need some compromise one way or another. Any specific reason why array_field{} is unacceptable? If anything, you can use field alias to allow use of array_field. Alternatively you can use calculated field to alter a key-value entry ("classic"), e.g., comma_delimited_field="1,2", then use split to calculate array_field.

Problems with adding multi-value field through /var/spool/splunk

field extraction

fields

Accelerating Observability as Code with the Splunk AI Assistant

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!

Join the Conversation